[vlc-commits] skins: fix signed overflow in bitmap allocation
Rémi Denis-Courmont
git at videolan.org
Sun Jan 10 12:50:49 UTC 2021
vlc | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Tue Dec 22 19:06:02 2020 +0200| [12ebbfb1ccd1f9acfb26d818f3f5dbd7723af0a8] | committer: Rémi Denis-Courmont
skins: fix signed overflow in bitmap allocation
Reported-by GitHub team members: @erik-krogh, @geoffw0, @MathiasVP, @owen-mc
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=12ebbfb1ccd1f9acfb26d818f3f5dbd7723af0a8
---
modules/gui/skins2/src/file_bitmap.cpp | 7 ++++++-
modules/gui/skins2/src/ft2_bitmap.cpp | 10 ++++++++--
modules/gui/skins2/src/generic_bitmap.cpp | 10 ++++++++--
modules/gui/skins2/src/scaled_bitmap.cpp | 8 ++++++--
4 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/modules/gui/skins2/src/file_bitmap.cpp b/modules/gui/skins2/src/file_bitmap.cpp
index 658bdc122f..c9505be370 100644
--- a/modules/gui/skins2/src/file_bitmap.cpp
+++ b/modules/gui/skins2/src/file_bitmap.cpp
@@ -38,6 +38,7 @@ FileBitmap::FileBitmap( intf_thread_t *pIntf, image_handler_t *pImageHandler,
{
video_format_t fmt_out;
picture_t *pPic;
+ unsigned size;
video_format_Init( &fmt_out, VLC_CODEC_RGBA );
@@ -61,7 +62,11 @@ FileBitmap::FileBitmap( intf_thread_t *pIntf, image_handler_t *pImageHandler,
m_height = fmt_out.i_height;
video_format_Clean( &fmt_out );
- m_pData = new uint8_t[m_height * m_width * 4];
+ if (mul_overflow((unsigned)m_width, (unsigned)m_height, &size)
+ || mul_overflow(size, 4, &size))
+ throw std::bad_alloc();
+
+ m_pData = new uint8_t[size];
// Compute the alpha layer
uint8_t *pData = m_pData, *pSrc = pPic->p->p_pixels;
diff --git a/modules/gui/skins2/src/ft2_bitmap.cpp b/modules/gui/skins2/src/ft2_bitmap.cpp
index 08ce4a3421..7b1c468705 100644
--- a/modules/gui/skins2/src/ft2_bitmap.cpp
+++ b/modules/gui/skins2/src/ft2_bitmap.cpp
@@ -27,9 +27,15 @@
FT2Bitmap::FT2Bitmap( intf_thread_t *pIntf, int width, int height ):
GenericBitmap( pIntf ), m_width( width ), m_height( height )
{
+ unsigned size;
+
+ if (mul_overflow((unsigned)width, (unsigned)height, &size)
+ || mul_overflow(size, 4, &size))
+ throw std::bad_alloc();
+
// Allocate memory for the buffer
- m_pData = new uint8_t[m_height * m_width * 4];
- memset( m_pData, 0, m_height * m_width * 4 );
+ m_pData = new uint8_t[size];
+ memset(m_pData, 0, size);
}
diff --git a/modules/gui/skins2/src/generic_bitmap.cpp b/modules/gui/skins2/src/generic_bitmap.cpp
index 60edecca40..a0c40f404a 100644
--- a/modules/gui/skins2/src/generic_bitmap.cpp
+++ b/modules/gui/skins2/src/generic_bitmap.cpp
@@ -57,8 +57,14 @@ BitmapImpl::BitmapImpl( intf_thread_t *pIntf, int width, int height,
GenericBitmap( pIntf, nbFrames, fps, nbLoops ), m_width( width ),
m_height( height ), m_pData( NULL )
{
- m_pData = new uint8_t[width * height * 4];
- memset( m_pData, 0, width * height * 4 );
+ unsigned size;
+
+ if (mul_overflow((unsigned)width, (unsigned)height, &size)
+ || mul_overflow(size, 4, &size))
+ throw std::bad_alloc();
+
+ m_pData = new uint8_t[size];
+ memset(m_pData, 0, size);
}
diff --git a/modules/gui/skins2/src/scaled_bitmap.cpp b/modules/gui/skins2/src/scaled_bitmap.cpp
index a85877b381..0bcbd02c4c 100644
--- a/modules/gui/skins2/src/scaled_bitmap.cpp
+++ b/modules/gui/skins2/src/scaled_bitmap.cpp
@@ -28,10 +28,14 @@ ScaledBitmap::ScaledBitmap( intf_thread_t *pIntf, const GenericBitmap &rBitmap,
int width, int height ):
GenericBitmap( pIntf ), m_width( width ), m_height( height )
{
- // XXX We should check that width and height are positive...
+ unsigned size;
+
+ if (mul_overflow((unsigned)width, (unsigned)height, &size)
+ || mul_overflow(size, 4, &size))
+ throw std::bad_alloc();
// Allocate memory for the buffer
- m_pData = new uint8_t[m_height * m_width * 4];
+ m_pData = new uint8_t[size];
int srcWidth = rBitmap.getWidth();
int srcHeight = rBitmap.getHeight();
More information about the vlc-commits
mailing list